From Pixels to Phishers

Over the past year, we’ve seen a huge jump in the number of mass downloader spyware. These small executable files have just one job, and they do it very well: They pull down huge numbers of additional installers, which in turn place a large number of password stealing Trojans, ad-clickers, and still more downloaders on the unfortunate victim’s PC.

The trend appears to be that most of the servers from which these phishing Trojans originate are registered within China’s .cn top-level domain, and the phishers themselves target (mostly) the login details for online multiplayer videogames played, primarily, in China, and in some cases, more widely in Asia.

Putting aside the rationale for what the phishers target (the goal may be purely financial, but that’s a discussion for another time), what’s really interesting is how the techniques to massively infect a victim’s PC have evolved, possibly to avoid network-based signature detection techniques that can identify Windows executable files while they’re traveling over the wire. It also seems that the various groups appear to compete with one another, even going so far as to block the domains used by competing groups’ downloaders once they’ve infected the machine.

So not long ago, another interesting mass downloader development seemed to drop into my work queue. These downloaders pull down bitmap images — not just executables with a different file extension, but real graphics files — then convert the color data into binary code, which transforms the data in the picture file into a small executable phisher installer.
Like most mass downloaders we’ve seen for the past year, this one first contacts a Web server, pulls down a list of URLs, and then contacts some or all of the URLs to obtain the payload files. Nothing new here, except that the payload files happen to be these weird bitmap images, 12 pixels wide, and as tall as required to contain all the data.

Here’s a breakdown of how it appears in a graphics editing program:

And you can see consistent sets of structures repeated in several of the files.

Once the bitmaps are pulled down, they’re immediately processed into executable files; The output of that processing is a small .exe that, when executed, drops a DLL in the Fonts folder, and adds some registry keys to load that DLL, then deletes itself. We detect the initial downloaders as Trojan-Downloader.gen and the payloads as Trojan-PWS-Atl, and can remove them fairly easily, though full cleanup requires a reboot, as the DLLs remain loaded in memory even after the files are deleted.

One final note about the destination folder: Malware that takes advantage of the Fonts folder’s behavior seems to be growing in popularity, probably because sticking malware in the Fonts folder is a kludgey way to hide the files from view.

Windows doesn’t display the contents of the Fonts folder as it does most other folders. Anything that isn’t actually an installed font won’t appear to be there when you navigate to c:windowsfonts using Explorer. The one workaround is to unregister fontext.dll, which controls the display within the Fonts folder, but doing that also prevents you from installing new fonts into the system. Most people won’t want to bother, so the infection will remain hidden from view until they delouse their PC.